Repository Customer Key | Vulnerability Database

ECR Repository should use customer managed keys to allow more control

Images in the ECR repository are encrypted by default using AWS managed encryption keys. To increase control of the encryption and control the management of factors like key rotation, use a Customer Managed Key.

Impact

Recommended Actions

Follow the appropriate remediation steps below to resolve the issue.

Use customer managed keys

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11


Resources:
  GoodExample:
    Type: AWS::ECR::Repository
    Properties:
      RepositoryName: "test-repository"
      ImageTagImmutability: IMMUTABLE
      ImageScanningConfiguration:
        ScanOnPush: false
      EncryptionConfiguration:
        EncryptionType: KMS
        KmsKey: "alias/ecr-key"

Use customer managed keys

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18


 resource "aws_kms_key" "ecr_kms" {
 	enable_key_rotation = true
 }
 
 resource "aws_ecr_repository" "good_example" {
 	name                 = "bar"
 	image_tag_mutability = "MUTABLE"
   
 	image_scanning_configuration {
 	  scan_on_push = true
 	}
 
 	encryption_configuration {
 		encryption_type = "KMS"
 		kms_key = aws_kms_key.ecr_kms.key_id
 	}
   }
 

Remediation Links

https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecr_repository#encryption_configuration